Krebs on Security

In-depth security news and investigation

Posts Tagged: target.com

One of the most-viewed stories on this site is a blog post+graphic that I put together last year to illustrate the ways that bad guys can monetize hacked computers. But just as folks who don’t bank online or store sensitive data on their PCs often have trouble understanding why someone would want to hack into their systems, many people do not fully realize how much they have invested in their email accounts until those accounts are in the hands of cyber thieves.

This post aims to raise awareness about the street value of a hacked email account, as well as all of the people, personal data, and resources that are put at risk when users neglect to properly safeguard their inboxes.

Sign up with any service online, and it will almost certainly require you to supply an email address. In nearly all cases, the person who is in control of that address can reset the password of any associated services or accounts –merely by requesting a password reset email.

Your email account may be worth far more than you imagine.

How much are these associated accounts worth? There isn’t exactly a central exchange for hacked accounts in the cybercrime underground, but recent price lists posted by several miscreants who traffic in non-financial compromised accounts offer some insights.

One prominent credential seller in the underground peddles iTunes accounts for $8, and Fedex.com, Continental.com and United.com accounts for USD $6. Groupon.com accounts fetch $5, while $4 buys hacked credentials at registrar and hosting provider Godaddy.com, as well as wireless providers Att.com, Sprint.com, Verizonwireless.com, and Tmobile.com. Active accounts at Facebook and Twitter retail for just $2.50 apiece.

As I’ve noted in previous stories, some crime shops go even lower with their prices for hacked accounts, charging between $1 to $3 for active accounts at dell.com, overstock.com, walmart.com, tesco.com, bestbuy.com and target.com, to name just a few.

Even if your email isn’t tied to online merchants, it is probably connected to other accounts you care about. Hacked email accounts are not only used to blast junk messages: They are harvested for the email addresses of your contacts, who can then be inundated with malware spam and phishing attacks. Those same contacts may even receive a message claiming you are stranded, penniless in some foreign country and asking them to wire money somewhere.

Not long ago, PCs compromised by malware were put to a limited number of fraudulent uses, including spam, click fraud and denial-of-service attacks. These days, computer crooks are extracting and selling a much broader array of data stolen from hacked systems, including passwords and associated email credentials tied to a variety of online retailers.

This shop sells credentials to active accounts at dozens of leading e-retailers.

At the forefront of this trend are the botnet creation kits like Citadel, ZeuS and SpyEye, which make it simple for miscreants to assemble collections of compromised machines. By default, most bot malware will extract any passwords stored in the victim PC’s browser, and will intercept and record any credentials submitted in Web forms, such as when a user enters his credit card number, address, etc. at an online retail shop.

Some of the most valuable data extracted from hacked PCs is bank login information. But non-financial logins also have value, particularly for shady online shops that collect and resell this information.

Logins for everything from Amazon.com to Walmart.com often are resold — either in bulk, or separately by retailer name — on underground crime forums. A miscreant who operates a Citadel botnet of respectable size (a few thousand bots, e.g.) can expect to quickly accumulate huge volumes of “logs,” records of user credentials and browsing history from victim PCs. Without even looking that hard, I found several individuals on Underweb forums selling bulk access to their botnet logs; for example, one Andromeda bot user was selling access to 6 gigabytes of bot logs for a flat rate of $150.

The “Freshotools” service sells a variety of hacked e-retailer credentials.

Increasingly, miscreants are setting up their own storefronts to sell stolen credentials for an entire shopping mall of online retail establishments. Freshtools, for example, sells purloined usernames and passwords for working accounts at overstock.com, dell.com, walmart.com, all for $2 each. The site also sells fedex.com and ups.com accounts for $5 a pop, no doubt to enable fraudulent reshippingschemes. Accounts that come with credentials to the email addresses tied to each site can fetch a dollar or two more.